Set<T_heap> values stored in _set_store are invisible to conservative GC scan — sibling to #695

[aallan]

Summary

Sibling to #695. Set<T_heap> values stored in _set_store have the same architectural problem as Map<K, T_heap>: heap-allocated WASM blocks held only as Python ints in _set_store[handle] are invisible to the conservative GC scan. A $gc_collect triggered after the set is constructed will reclaim those blocks, leaving subsequent membership checks and iterations returning pointers to freed memory.

Surfaced during the analysis of #695 (which focuses on Map); the Set surface uses the identical mechanism but wasn't called out in the original report because the JObject/HtmlElement parsers exercise Map, not Set.

Root cause

_set_store is declared in vera/codegen/api.py line 2513:

_set_store: dict[int, set[object]] = {}

For Set<JObject> or Set<HtmlNode>, the set elements are i32 heap pointers — but they only exist in Python memory, not WASM linear memory. Same conservative-scan blind spot as #695: Phase 2a walks WASM heap blocks, never _set_store. The wrapper handle's bit-31 tagging makes it correctly skipped by the scan, but blocks pointed to only from _set_store[handle] are unreachable and get reclaimed.

Which Set element types are affected

• ✅ Vulnerable: Set<Json>, Set<HtmlNode>, Set<Md*>, any user Set<T> where T is heap-allocated (ADTs, lists, arrays, user records, …)
• ✅ Safe: Set<V_inline> where elements are inline scalars (Set<Int>, Set<Bool>, Set<Float>) — stored as Python primitives, no WASM heap pointer involved
• ✅ Safe: Set<String> — strings stored as Python str, re-encoded into WASM memory on iteration

Why this didn't surface earlier

Same reason as #695: existing tests construct a Set, immediately iterate or membership-check, and exit. No allocation between construction and use → no GC pressure → reachability bug latent. A test that does set_insert(heap_value) → trigger_large_alloc → set_contains(...) would surface it.

Fix

This will share a fix with #695. The three options outlined in #695's body (host-side WASM container per entry / extend Phase 2c tracing / serialise values into WASM at insertion) apply symmetrically: the per-entry WASM container approach generalises cleanly to both Map and Set with the same insertion-time hook.

Closing this issue together with #695 in the same PR is appropriate — the codegen surface is shared, the regression test pattern is parallel, and the architectural shape is identical.

Related

• #695 — Map sibling; this issue tracks the Set side of the same architectural family
• #570 / #515 / #593 / #692 — same missing-shadow-root bug class but in WAT-emitted code / host walk locals rather than host-side stores
• #578 — bit-31 handle tagging that makes the conservative scan correctly skip the handle field; this issue is the dual concern of "what the handle points to is also unreachable to the scan"

[aallan]

Empirical reproducer (verified — bug fires with VERA_EAGER_GC=1)

effect IO { op print(String -> Unit); }

public fn main(-> @Unit)
  requires(true) ensures(true) effects(<IO>)
{
  let @Result<Json, String> = json_parse("[1,2,3,4,5,6,7,8,9,10]");
  match @Result<Json, String>.0 {
    Ok(@Json) -> {
      let @Set<Json> = set_add(set_new(), @Json.0);
      let @Array<Json> = set_to_array(@Set<Json>.0);
      let @Int = array_fold(@Array<Json>.0, 0, fn(@Int, @Json -> @Int) effects(pure) {
        json_array_length(@Json.0) + @Int.0
      });
      IO.print(int_to_string(@Int.0))
    },
    Err(@String) -> IO.print("err")
  }
}

Symptom:

• Without VERA_EAGER_GC=1: prints 10 (correct: the JArray has 10 elements)
• With VERA_EAGER_GC=1: prints 0 (silent UAF — json_array_length reads from freed memory)

Same failure shape as #695: silent corruption, not a trap.

Attempted fix (Phase B.2 / C in fix/695-705-host-store-gc-reachability branch, reverted)

Tried mirroring the #695 fix for Sets: unify wrapper size at 12 bytes across WAT and Python paths, add an attach_bucket_to_wrapper(wrapper_ptr, kind, handle) host import called by _emit_wrap_handle after the wrap step, and a Python-side _attach_bucket_from_set that allocates a WASM bucket array mirroring _set_store[handle] and writes the bucket pointer to wrapper+8.

All 1130 codegen tests stayed green throughout. But the empirical Set reproducer above still printed 0 even with the attach-bucket plumbing in place.

What was tried and didn't work

1. Initial wiring: add the host import call after _emit_wrap_handle's gc_shadow_push. Test still fails with 0.
2. Shadow-push wrapper inside _attach_bucket_from_set (redundant with the outer gc_shadow_push from _emit_wrap_handle, defensive). Test still fails.
3. Shadow-push existing heap-pointer elements BEFORE the bucket array alloc, so the elements survive any GC fired by the bucket alloc itself. Test still fails.

Step 3 was the analogous fix to the one that worked for _alloc_map_wrapper in #695 (where pre-pushing the wrapper was the critical detail). For Sets it should be the same shape: push the elements (which are heap pointers), then alloc the bucket. But the test still prints 0.

Debug observations that don't yet add up

Adding print statements to _attach_bucket_from_set showed:

• set_new produced wrapper at 0x241b7
• set_add produced wrapper at 0x2419f
• _set_store[2] = {147895} where 147895 == 0x241b7

The set element value (147895 = 0x241b7) equals wrapper_A's address. The element passed to set_add should be the JArray's heap pointer, not a wrapper address. Either:

• The JArray was reclaimed before set_new allocated wrapper_A, and wrapper_A was placed at the freed address; the element we then pass to set_add was a stale read from somewhere that already pointed at the now-reused address.
• Or the WAT codegen for set_add is loading from a wrong slot (operand stack confusion).

This is the unfinished debugging thread. The next session should:

1. Add a print inside the set_add$eb host function to capture the element value at entry — confirm it's the JArray pointer, not a wrapper.
2. Look at the actual emitted WAT for let @Set = set_add(set_new(), @Json.0) and trace what value @Json.0 resolves to.
3. Check whether @Json is being shadow-pushed at the match-arm binding site — if not, GC during set_new's alloc could reclaim the JArray before set_add runs.

Related context

• #695 — Map sibling, Phase B.1 fix landed
• #692 — host-walker GC rooting (same bug class, in a different code path)
• _alloc_map_wrapper shadow-push fix in commit 8b59454 — the precedent for the Set fix that I tried to mirror

Current branch state

fix/695-705-host-store-gc-reachability carries the Phase A bucket helpers and the Phase B.1 Map fix. The Phase B.2/C Set work was reverted at end-of-session to keep the branch in a known-good state. The empirical reproducer above is the concrete failing target for the next attempt.

[aallan]

Fix landed — here's what was actually wrong and what I did

Following up on the earlier "what didn't work" comment: the empirical reproducer surfaced two orthogonal root causes that both needed addressing. Either fix alone was insufficient. The Set bug was empirically closing only when both went in together.

Root cause 1: match-arm and let-binding shadow-rooting gap

The bigger find. I was operating under the assumption that Vera bindings of heap-pointer values were always shadow-rooted. They aren't. Specifically:

• Vera function calls shadow-push their parameters at the prologue (verified in $json_get WAT output — first thing after locals is gc_shadow_push of every i32 parameter).
• Match-arm bindings (e.g. Ok(@Json) -> ... extracting @Json from a Result<Json, String>) just emit local.set with no shadow-root.
• Let bindings (let @Set = build_set()) do the same — local.set only, no shadow-root.

In normal code this mostly works because between binding and use there's often no allocation that fires GC. When the next thing you do is call a Vera function, that function's prologue shadow-pushes the arg (the binding's value) and the heap block survives.

But for code like:

let @Set = set_add(set_new(), @Json.0)

The translation evaluates set_new() first. set_new's wrap step in _emit_wrap_handle allocates the 12-byte wrapper. Under VERA_EAGER_GC=1, that alloc fires GC. At that moment @Json is in a WASM local but NOT on the shadow stack — the conservative scan misses it, sweep reclaims the Json block. By the time @Json.0 loads the local for the set_add call, it loads a stale pointer.

This is why my earlier element-shadow-push fix at the _translate_set_add site didn't work: it was too late. The Json had already been reclaimed during set_new()'s wrap step, before set_add was even reached.

Fix: shadow-push at the binding site.

• vera/wasm/data.py::_extract_constructor_fields — for BindingPattern sub-patterns of ConstructorPattern, after local.set local_idx, emit gc_shadow_push(local_idx) if the slot is i32 and the type is not in _INLINE_I32_TYPES ({Bool, Byte, Unit} — the inline scalars).
• vera/wasm/context.py — for LetStmt, same shape: after local.set local_idx, emit shadow-push for heap-pointer types. Also set self.needs_alloc = True to ensure $gc_sp / $gc_stack_limit globals are emitted (without this, simple programs with no other allocations had unresolved-global errors).

The function epilogue's gc_sp restore handles pop on exit, so shadow stack stays bounded.

Root cause 2: WAT-allocated wrappers didn't have bucket arrays

The #695 fix (commit 8b59454) added bucket arrays to wrappers allocated by _alloc_map_wrapper in vera/codegen/api.py — the Python-side path that JSON/HTML/Markdown parsers use. But user-level set_new/set_add/map_new/map_insert go through a different path: the WAT codegen in vera/wasm/calls_containers.py::_emit_wrap_handle, which was still allocating 8-byte wrappers without bucket arrays.

So even after fix 1 makes the @Json survive through set_new()'s wrap, the resulting Set wrapper has no bucket — its element (the Json pointer) lives only in _set_store[handle], invisible to GC. When build_set returns and @Json goes out of scope, the only chain to the Json is via _set_store (Python). Next allocation in main reclaims it.

Fix: unify the wrapper layout and add bucket population for WAT-allocated wrappers too.

• vera/wasm/calls_containers.py::_WRAPPER_BODY_SIZE = 12 (was 8) — matches api.py. _emit_wrap_handle writes 0 at +8 by default (default bucket_ptr).
• After the existing gc_shadow_push wrapper_temp, emit call $vera.attach_bucket_to_wrapper(wrapper_ptr, kind, handle).
• New host import attach_bucket_to_wrapper in vera/codegen/api.py dispatches on kind:
  • kind == 1 (Map): _attach_bucket_from_dict(caller, wrapper_ptr, _map_store.get(handle, {})).
  • kind == 2 (Set): _attach_bucket_from_set(caller, wrapper_ptr, _set_store.get(handle, set())).
  • kind == 3 (Decimal): no-op (PyDecimal is value-typed, no heap pointers to root).
• WAT-side import declaration in vera/codegen/assembly.py.

Critical performance fix: ordering in the populator

My first cut of _attach_bucket_from_dict pre-pushed every value onto the shadow stack before the bucket alloc. This works for small maps but the TestHostHandleReclamation573::test_map_chain_reclaims_transients test (10000-iteration map_insert chain) exposed it: the per-iteration attach_bucket_to_wrapper call would push thousands of values, overflowing the 16K-entry shadow stack region.

Failure shape was clean: RuntimeError: #692: host shadow-stack overflow (sp=16384, limit=16384).

Fix: change the ordering so the bucket slot itself roots the value, no pre-push needed:

for i, (k, v) in enumerate(d.items()):
    slot_base = bucket_ptr + i * _SLOT_SIZE
    # Write val_word FIRST (no alloc).  This roots any heap-pointer
    # value via wrapper → bucket → slot before the key-string alloc
    # can fire GC.
    val_word = v if isinstance(v, int) else 0
    _write_i32(caller, slot_base + 8, val_word)
    if isinstance(k, str):
        key_ptr, key_len = _alloc_string(caller, k)
        _write_i32(caller, slot_base, key_ptr)
        _write_i32(caller, slot_base + 4, key_len)
    else:
        _write_i32(caller, slot_base, k if isinstance(k, int) else 0)
        # key_word_1 already 0 from bucket zero-init.

The bucket array is already on the shadow stack (guard.push(bucket_ptr)). Writing val_word into the slot makes the value reachable via wrapper → bucket → slot, so any subsequent allocation (the key string) can safely fire GC. No per-value shadow stack pushes needed. Set version follows the same pattern with _word_1 and val_word left at zero (Set elements live in key_word_0).

This is a general pattern worth keeping in mind: "populate a heap-reachable structure with values that aren't yet rooted" → write into the structure before any allocation, exploit the structure's existing rooting.

Empirical validation

• tests/test_codegen.py::TestMapHostStoreGCReachability695::test_eager_gc_set_of_json_post_walk_uaf — the empirical reproducer from this issue's body now passes with VERA_EAGER_GC=1.
• The Map sibling test (test_eager_gc_json_object_with_array_child_post_walk_uaf from Map<K, T_heap> values stored in _map_store are invisible to conservative GC scan — post-walk reachability of JObject children #695) still passes.
• All 1555 tests in tests/test_codegen.py + tests/test_conformance.py pass.
• TestHostHandleReclamation573 (10 tests including the 10000-iter reclamation chains) all pass — reclamation discipline preserved because bucket arrays die naturally with their wrappers via the same mark-sweep that already handled the wrappers.
• TestHostWalkerGCRooting692 (6 tests) all pass — the host-side tree walker discipline (where the original html_parse and json_parse trap with Out-of-bounds memory access on inputs that pressure GC during host-side tree walk #692 lived) is untouched.

What's deferred

• Browser runtime parallel (vera/browser/runtime.mjs) — has its own JS-side _map_store / _set_store analogs with the same architectural shape. Needs the parallel fix before the browser target is correct under similar workloads. Tracking as the next item.
• Architectural cleanup (delete _map_store / _set_store entirely, route reads through the bucket array) — pure refactor, no behaviour change once landed. Worth doing for code clarity but doesn't gate correctness.

Closing this issue via the PR's Closes #705 footer.